On Sep 11, 2008, at 12:59 AM, Pekka Savola wrote:
> A problem I have with these discussions is that everyone has their
> own idea what "BCP38" implies. Others say their loose-mode uRPF
> setups are "BCP38". Others are using strict uRPF or similar (e.g.
> ACLs). Some think that Tier1 transit operators should apply one of
> the options above to their tier2 customers. Others think it should
> just be applied at the site-edges. Some don't consider spoofing
> protection at LAN interface level at all, others call that also
> BCP38. Etc.

Honestly, *anything* is better than most of what's out there, which is
*nothing*.

> Loose mode URPF seems (IMHO) pretty much a waste of time and is
> confusing the discussion about real spoofing protection. The added
> protection compared to ACLs that drop private and possibly bogons is
> not that big and it causes transient losses when the routing tables
> are changing.

I disagree. But I will say that if everyone would apply strict mode
or ACLs to their end point interfaces, this would likely make most of
the loose mode irrelevant.
And your arguments about BGP changes affecting loose mode are only
problematic on the busiest peering ports. Loose mode works perfectly
fine with zero drops (even on Cisco) on anything smaller than a full
feed (i.e., that ISP client of yours you do BGP with).
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
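
The strict versus loose uRPF distinction argued over in this thread, as an added example that is not part of the original message: a small Python model of the source check against a constructed FIB. Prefixes are documentation ranges, the interface names `cust0` and `peer0` are hypothetical, and default-route handling is not modelled.

```python
import ipaddress

# Constructed FIB for an edge router: (prefix, egress interface).
FIB = [
    ("198.51.100.0/24", "cust0"),  # the customer's own block
    ("203.0.113.0/24", "peer0"),   # prefix learned from a BGP peer
]

def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_permits(fib, src, in_if, mode):
    """strict: the route back to src must use in_if; loose: any route to src is enough."""
    egress = lookup(fib, src)
    if egress is None:
        return False  # no route to the source at all: both modes drop
    return mode == "loose" or egress == in_if

def verdicts(fib, packets, mode):
    """One permit/drop decision per (source, ingress interface) pair."""
    return [urpf_permits(fib, src, in_if, mode) for src, in_if in packets]

# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("198.51.100.7", "cust0"),  # legitimate customer source
    ("203.0.113.9", "cust0"),   # routed third-party source arriving on the customer port
    ("10.1.2.3", "cust0"),      # private source with no route in the FIB
    ("203.0.113.9", "peer0"),   # legitimate traffic from the peer
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, verdicts(FIB, PACKETS, mode))
    # Peer route withdrawn during a routing change: loose mode now drops
    # the peer's valid traffic until the route returns.
    print("loose, route withdrawn", verdicts(FIB[:1], PACKETS, "loose"))
```

In this model loose mode rejects only the unrouted private source, the same packet a private/bogon ACL would drop, while strict mode also rejects the routed source that arrives on the wrong interface.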